Dmitry Makovetskiyd

Reputation: 7053

cookies, sessions , and security

I came up with my own way to protect the moderators on my site. First, I know that a hacker could hijack my session. So what I did was to add a cookie to the moderator and set my algorithm on how to set and unset those cookies.

The first precaution that I took is this, when the moderator logs in:

        if('Moderator'==is_monitor($name)) // function finds who the user is
        {
            ini_set('session.use_only_cookies', true);
            session_start();
            // $salt, $pass and $ip_address are set earlier in the login script
            $password_hash = hash('sha256', $salt.hash('sha256', $pass));
            $_SESSION['mod_identify'] = $password_hash;
            if(!isset($_COOKIE['adderss'])) // the superglobal is $_COOKIE (case-sensitive)
            {
              setcookie("adderss", $ip_address, time()+60*60*24*365*5, "/");
            }
        }

Then I use this to reset the sessions on every page:

if(!isset($_SESSION))
{
   start_session(); // all sessions should be reset with a new id
}

The question is whether setting a cookie on many pages is a burden on the moderator?

Do you think that my way is secure enough against session/cookie hijacking?

Upvotes: 0

Views: 143

Answers (1)

Yes Barry

Reputation: 9876

No. Use HTTPS - which uses SSL - if you want to prevent session hijacking. Also, never store the password of some user's account in the session if that's what $pass is.

Alternatively, you could use a Session wrapper class like this one. Note that this will not protect against session hijacking, rather it simply encrypts the data stored therein.

Also, unless you've created your own custom function named "start_session()", then session_start() is the function you want to call to start sessions.

If you want to redirect users to HTTPS, you can do it with apache's mod_rewrite in your .htaccess file like so:

RewriteEngine On
RewriteCond %{REQUEST_URI} =/admin
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Or something similar, depending on where you want users to be using secure sockets layer.

Upvotes: 4
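A hardened version of the moderator login from the question, added here as an example and not code from either post. It assumes PHP 7.4+ and replaces the question's is_monitor() lookup with a constructed in-memory user table; the session id travels only in a Secure, HttpOnly cookie, is regenerated on login, and no password material is kept in $_SESSION.

```php
<?php
declare(strict_types=1);

function sample_users(): array
{
    // Constructed sample store standing in for is_monitor() and the user DB.
    static $users = null;
    return $users ??= [
        'alice' => ['role' => 'Moderator', 'hash' => password_hash('s3cret-demo', PASSWORD_DEFAULT)],
    ];
}

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                                 // never call session_start() twice per request
    }
    ini_set('session.use_only_cookies', '1');   // no session ids in URLs
    ini_set('session.use_strict_mode', '1');    // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,                        // expires when the browser closes
        'path'     => '/',
        'secure'   => true,                     // sent over HTTPS only
        'httponly' => true,                     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

function moderator_login(string $name, string $pass): bool
{
    start_secure_session();
    $user = sample_users()[$name] ?? null;
    if ($user === null || $user['role'] !== 'Moderator' || !password_verify($pass, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh id after login: a planted (fixated) id dies here
    $_SESSION['mod_name']      = $name; // identity only, never the password or a hash of it
    $_SESSION['mod_last_seen'] = time();
    return true;
}

function moderator_is_authenticated(int $idle_limit = 1800): bool
{
    start_secure_session();
    if (!isset($_SESSION['mod_name'], $_SESSION['mod_last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['mod_last_seen'] > $idle_limit) {
        session_unset();                // idle too long: drop data and destroy the id
        session_destroy();
        return false;
    }
    $_SESSION['mod_last_seen'] = time();
    return true;
}
```

Call moderator_login() from the login form handler and moderator_is_authenticated() at the top of every moderator page in place of the `if(!isset($_SESSION))` block.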
